Did you Google yourself today? No? How about that person that just applied for a position with your company?  The temptation is easy to understand; ready access to all manner of personal and sometimes salacious information (some of it may even be relevant to the job being applied for) is just a few mouse clicks away. Without question, social networking websites can provide useful information about candidates’ employment history, personal interests or maturity level and can reveal employees' workplace behavior, online harassment or confidentiality violations. Conducting such searches, however, can open a Pandora's box full of information that employers would otherwise never dare to ask for during the application process. Now, a growing number of employers who are not content to review publically available information have resorted to asking for and, in some cases, demanding applicant or employee passwords so that they can access an individual's private online domain. Not only is this unwise, it is now illegal in certain states.

On Wednesday, August 1, 2012, Governor Quinn signed into law an amendment to the Illinois Right to Privacy in the Workplace Act (820 ILCS 52/10) which prohibits employers from requesting or requiring employees or prospective employees to provide passwords or other account information to gain access to a social networking account. Violators may be subject to monetary fines. The law, which takes effect on January 1, 2013, does not limit employers from maintaining policies governing and monitoring Internet, social networking and e-mail use on employer equipment.

Although Illinois is only the second state (after Maryland) to enact such legislation, at least fifteen other states, including California, New Jersey and Michigan, have recently proposed similar laws and the practice may violate already existing state privacy laws. In addition, two federal bills, the Password Protection Act of 2012 and the Social Networking Online Protection Act, have been introduced in Congress.

Moreover, providing others with login and password information is a violation of most website terms of service, and the Department of Justice considers it a security risk and a federal crime to enter social media sites in violation of online user agreements. Therefore, even employers outside Illinois and Maryland should refrain from requesting login and password information to social networking sites from current and prospective employees, unless there is a compelling reason for it.

Even without demanding a login and password, examining applicants' or employees' social networking profiles can expose employers to potential liability. Individuals often reveal information on their website profile about characteristics that are protected by state and federal discrimination laws from consideration in hiring and employment decisions, e.g., religious beliefs, sexual orientation or disability status. Although obtaining this information through public information in online profiles is not itself a legal violation, it can complicate employment disputes where that information would not otherwise become known. Accordingly, employers should develop and implement a policy or procedure that clearly sets forth what types of online information, if any, may be used when making employment decisions, how such information should be obtained, and who should have access to it. Employers may also seek to further protect themselves by using a third-party vendor or designated person (or group) to carry out the task of online data "mining" with the explicit instruction that they are to pass along only that information which is relevant to the employment decision being made.